Yoryantra
← Back to Tools

HMAC Generator

Generate an HMAC SHA-256, SHA-384, or SHA-512 value from UTF-8 text and a shared secret directly in your browser.

Generated HMAC Signature

Generated HMAC signature will appear here...

Privacy Note

HMAC generation happens locally inside your browser using the Web Crypto API. Avoid using live production secrets in browser tools. Matching another system also requires the same text encoding, exact message bytes, secret bytes, algorithm, and output format.

Generating HMAC Signatures for API Requests

HMAC values are commonly used when APIs, webhook providers, and backend services need to detect message changes using a shared secret.

HMAC stands for Hash-based Message Authentication Code. A verifier can recalculate the value with the same secret and message bytes. A match supports integrity and shared-secret authentication, but it does not encrypt the message.

This generator treats the message and secret as UTF-8 text and returns lowercase hexadecimal output. Other systems may expect Base64, binary keys, canonicalized JSON, timestamps, or prefixed request data, so follow the exact signing specification you are testing.

Supported HMAC Algorithms

  • HMAC SHA-256 — Commonly used in APIs, JWT workflows, and webhook verification.
  • HMAC SHA-384 — Higher-length SHA-2 family signing algorithm.
  • HMAC SHA-512 — Strong long-length signing algorithm for advanced security workflows.

How to Use the HMAC Generator

  1. Enter the message or request payload.
  2. Enter the secret signing key.
  3. Select the desired HMAC algorithm.
  4. Click Generate HMAC to create the signature.

Common Use Cases

  • Generating signed API requests.
  • Verifying webhook payload integrity.
  • Testing authentication workflows.
  • Generating request authentication codes for testing.
  • Debugging backend verification systems.
  • Building signed communication between services.
  • Verifying that request payloads were not modified.

Example HMAC Signature

Payload:

{"user":"varun","action":"login"}

Secret key:

my-secret-key

Generated HMAC SHA-256:

ab5b21516c2ad6eb5f6bd3ec23f9c026a8bb782a1ffa44d322b3e9412575f98e

Why HMAC Signatures Matter

  • Shared-secret authentication: A matching HMAC shows that the sender had access to the same secret, assuming the secret has remained private.
  • Integrity protection: Modified payloads produce different signatures.
  • API security: Many authentication systems rely on signed requests.
  • Webhook verification: HMAC signatures help validate trusted event payloads.

Frequently Asked Questions

What is HMAC?

HMAC stands for Hash-based Message Authentication Code. It uses a secret key together with a hashing algorithm to create a message authentication code.

Is HMAC used in APIs?

Yes. Many APIs and webhook systems use HMAC signatures to check message integrity and confirm that the sender had access to the shared secret.

Which HMAC algorithm should I use?

Follow the algorithm required by the API or system you are testing. HMAC SHA-256 is common, but the verifier and generator must use the same algorithm.

Why does my HMAC not match another service?

The message bytes, secret bytes, algorithm, and output encoding must match exactly. This tool uses UTF-8 text and lowercase hexadecimal output.

Is this HMAC Generator secure?

Generation runs locally with the browser Web Crypto API. Still, avoid entering live production secrets, and compare results with the exact signing rules used by the target system.

Is HMAC generation processed on the server?

No. HMAC generation happens entirely inside your browser.